When a webapp is used by multiple domains, cookie-domain can not be set in configuration because it accepts only 1 domain. When domain name switches hosts, such as from "www" to "secure" the cookie must be maintained. cookie-domain cannot be blank, because Resin defauls to use the full host name, such as "www.foo.com", which is then lost at the switch to "secure.foo.com".